config: Add security warning on configuration examples

Add the following text explaining the risk of using regular expressions in path lists: Each member of the list can be a regular expression, but prefer names. Otherwise, please read and understand the following carefully. SECURITY WARNING: If you use regular expressions, be mindful that an attacker could craft an annotation that uses .. to escape the paths you gave. For example, if your regexp is /bin/qemu.* then if there is a directory named /bin/qemu.d/, then an attacker can pass an annotation containing /bin/qemu.d/../put-any-binary-name-here and attack your host. Fixes: #3004 Signed-off-by: Christophe de Dinechin <[email protected]>
kata-containers · Nov 10, 2020 · fba4619 · fba4619
1 parent 92065d8
commit fba4619
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 7 deletions.
diff --git a/cli/config/configuration-acrn.toml.in b/cli/config/configuration-acrn.toml.in
@@ -17,7 +17,13 @@ kernel = "@KERNELPATH_ACRN@"
 image = "@IMAGEPATH@"
 
 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@ACRNPATH@.*" ]
 
 # List of valid annotations values for ctlpath (default: empty)

diff --git a/cli/config/configuration-clh.toml.in b/cli/config/configuration-clh.toml.in
@@ -12,12 +12,19 @@
 
 [hypervisor.clh]
 path = "@CLHPATH@"
-# List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
-# path_list = [ "@CLHPATH@.*" ]
 kernel = "@KERNELPATH_CLH@"
 image = "@IMAGEPATH@"
 
+# List of valid annotations values for the hypervisor (default: empty)
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
+# path_list = [ "@CLHPATH@.*" ]
+
 # Optional space-separated list of options to pass to the guest kernel.
 # For example, use `kernel_params = "vsyscall=emulate"` if you are having
 # trouble running pre-2.15 glibc.

diff --git a/cli/config/configuration-fc.toml.in b/cli/config/configuration-fc.toml.in
@@ -16,7 +16,13 @@ kernel = "@KERNELPATH_FC@"
 image = "@IMAGEPATH@"
 
 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@FCPATH@.*" ]
 
 # Path for the jailer specific to firecracker

diff --git a/cli/config/configuration-qemu-virtiofs.toml.in b/cli/config/configuration-qemu-virtiofs.toml.in
@@ -17,7 +17,13 @@ image = "@IMAGEPATH@"
 machine_type = "@MACHINETYPE@"
 
 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@QEMUPATH@.*" ]
 
 # Optional space-separated list of options to pass to the guest kernel.

diff --git a/cli/config/configuration-qemu.toml.in b/cli/config/configuration-qemu.toml.in
@@ -13,7 +13,13 @@
 [hypervisor.qemu]
 path = "@QEMUPATH@"
 # List of valid annotations values for the hypervisor (default: empty)
-# Each member of the list can be a regular expression
+# Each member of the list can be a regular expression, but prefer names.
+# Otherwise, please read and understand the following carefully.
+# SECURITY WARNING: If you use regular expressions, be mindful that
+# an attacker could craft an annotation that uses .. to escape the paths
+# you gave. For example, if your regexp is /bin/qemu.* then if there is
+# a directory named /bin/qemu.d/, then an attacker can pass an annotation
+# containing /bin/qemu.d/../put-any-binary-name-here and attack your host.
 # path_list = [ "@QEMUPATH@.*" ]
 kernel = "@KERNELPATH@"
 initrd = "@INITRDPATH@"